We have a client that would like to get emailed alerts when an account with administrative privileges logs in. I've found two events that occur together that indicate the use of an administrative account (Windows Event IDs 4624 and 4672). For example, Event ID 4624 says "Logon "<domain>\ryan.butler"", and Event ID 4672 says "Privilege assigned to new logon "<domain>\ryan.butler"". I would like to build a rule for if those two events occur for the same username within a short period of time, send an email alert. Is there a way to do this? See attached screenshots for the two events.
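The correlation the question describes, written out as an added example that is not from the original post or from any particular alerting product: pair each 4672 (special privileges assigned) with a preceding 4624 (logon) for the same account inside a short window, and turn each pair into an alert. Two details matter in practice and are handled here: the 4672 carries the same Logon ID as the 4624 it belongs to (4624 reports it as the new logon's Logon ID, 4672 as the subject's), which is a more exact join key than username plus time, and 4672 fires constantly for SYSTEM and the service accounts, so those are filtered out or the mailbox fills up. The domain name EXAMPLE, the timestamps, Logon IDs and the second account are constructed sample values; the 30-second window and the noise list are assumptions a deployment would tune.

```python
"""Correlate Windows Security events 4624 (logon) and 4672 (special privileges
assigned to new logon) for the same account within a short window, then build
the text of an email alert. Sample events below are constructed, not real logs."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class SecEvent:
    event_id: int      # 4624 or 4672
    time: datetime
    account: str       # DOMAIN\user exactly as the event reports it
    logon_id: str      # 4624: Logon ID of the new logon; 4672: Logon ID of the subject


@dataclass(frozen=True)
class AdminLogonAlert:
    account: str
    logon_id: str
    logon_time: datetime        # time of the 4624
    privilege_time: datetime    # time of the matching 4672


# Assumed noise list: these accounts receive privileges on every logon and are
# not the interactive admin logons the client wants to hear about.
NOISE_ACCOUNTS = {
    "NT AUTHORITY\\SYSTEM",
    "NT AUTHORITY\\LOCAL SERVICE",
    "NT AUTHORITY\\NETWORK SERVICE",
}


def correlate_admin_logons(events: Iterable[SecEvent],
                           window: timedelta = timedelta(seconds=30),
                           ignore=NOISE_ACCOUNTS) -> List[AdminLogonAlert]:
    """Return one alert per 4624/4672 pair for the same account within `window`.
    A 4624 whose Logon ID matches the 4672 is preferred; otherwise the most
    recent 4624 for that account inside the window is used (the username+time
    rule from the question). Each 4624 is consumed by at most one alert."""
    pending: Dict[str, List[SecEvent]] = {}   # account -> unmatched 4624 events
    alerts: List[AdminLogonAlert] = []
    for ev in sorted(events, key=lambda e: e.time):
        if ev.account in ignore:
            continue
        if ev.event_id == 4624:
            pending.setdefault(ev.account, []).append(ev)
        elif ev.event_id == 4672:
            recent = [lg for lg in pending.get(ev.account, [])
                      if timedelta(0) <= ev.time - lg.time <= window]
            if not recent:
                continue    # 4672 with no logon in the window: nothing to pair
            match = next((lg for lg in recent if lg.logon_id == ev.logon_id), None)
            if match is None:
                match = max(recent, key=lambda lg: lg.time)
            alerts.append(AdminLogonAlert(ev.account, match.logon_id, match.time, ev.time))
            pending[ev.account].remove(match)
    return alerts


def format_alert_email(alert: AdminLogonAlert) -> str:
    """Plain-text email body for one correlated admin logon."""
    return "\n".join([
        f"Subject: Administrative logon detected for {alert.account}",
        "",
        f"Account:       {alert.account}",
        f"Logon ID:      {alert.logon_id}",
        f"Logon (4624):  {alert.logon_time.isoformat(sep=' ')}",
        f"Privileges (4672) assigned: {alert.privilege_time.isoformat(sep=' ')}",
    ])


# Constructed sample events: one real admin logon, one standard-user logon,
# SYSTEM noise, and a stray 4672 with no logon inside the window.
_T0 = datetime(2024, 1, 15, 9, 0, 0)
SAMPLE_EVENTS = [
    SecEvent(4624, _T0, "EXAMPLE\\ryan.butler", "0x3e7a1"),
    SecEvent(4672, _T0 + timedelta(seconds=1), "EXAMPLE\\ryan.butler", "0x3e7a1"),
    SecEvent(4624, _T0 + timedelta(minutes=5), "EXAMPLE\\jane.doe", "0x41b22"),
    SecEvent(4624, _T0 + timedelta(minutes=6), "NT AUTHORITY\\SYSTEM", "0x3e7"),
    SecEvent(4672, _T0 + timedelta(minutes=6), "NT AUTHORITY\\SYSTEM", "0x3e7"),
    SecEvent(4672, _T0 + timedelta(minutes=30), "EXAMPLE\\ryan.butler", "0x5c019"),
]

if __name__ == "__main__":
    for a in correlate_admin_logons(SAMPLE_EVENTS):
        print(format_alert_email(a))
        print("-" * 40)
```

Run against the sample data this produces exactly one alert, for ryan.butler at 09:00; the standard-user logon has no 4672, the SYSTEM pair is filtered, and the 4672 at 09:30 has no 4624 inside the window. In a real deployment the events would come from the Security log (for instance via Get-WinEvent or a log forwarder) with the account taken from the event's account name and domain fields and the Logon ID from the 4624 "New Logon" and 4672 "Subject" sections, and `format_alert_email` would feed whatever mail sender the SIEM already has.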